Package: dia
Version: 0.96.1-7
Severity: grave
Tags: security patch
Justification: user security hole
Usertags: pythonpath
dia's Python interface calls PySys_SetArgv in a way that makes Python
prepend an empty string to sys.path. Because an empty entry means the
current working directory, arbitrary code can be run on the user's system
if dia's working directory contains a Python file with the same name as
one that dia's Python scripts try to import.
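The following is an added illustration, not code from this report or from dia: it builds a throwaway working directory holding a placeholder module (the constructed name `diashadow` stands for any module a plug-in imports), asks Python's own path-based finder which file an import would load with and without the empty entry, and shows the sanitization the patch performs written for Python 3.

```python
import importlib.machinery
import os
import sys
import tempfile


def sanitize_path(entries):
    """Drop the empty string that PySys_SetArgv prepends (it stands for the
    process's current working directory) while keeping every other entry and
    its order. Same effect as the patch's filter(None, sys.path), but yields a
    list under Python 3 as well, where filter() would return an iterator."""
    return [p for p in entries if p]


def resolve_module(name, path_entries):
    """Return the file an import of `name` would load when the given entries
    are searched in order, or None if no entry provides such a module."""
    spec = importlib.machinery.PathFinder.find_spec(name, path_entries)
    return spec.origin if spec is not None else None


def demo(module_name="diashadow"):
    """Constructed scenario: the working directory contains a file named like
    a module the plug-in imports. Returns (origin_before, origin_after), the
    file resolved with the empty entry present and with it removed."""
    with tempfile.TemporaryDirectory() as workdir:
        placeholder = os.path.join(workdir, module_name + ".py")
        with open(placeholder, "w") as fh:
            fh.write("# placeholder file sharing a name with an imported module\n")
        old_cwd = os.getcwd()
        os.chdir(workdir)
        try:
            # What sys.path looks like after PySys_SetArgv: '' comes first.
            unsanitized = [""] + [p for p in sys.path if p]
            before = resolve_module(module_name, unsanitized)
            after = resolve_module(module_name, sanitize_path(unsanitized))
        finally:
            os.chdir(old_cwd)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("with '' in sys.path   ->", before)
    print("after sanitization    ->", after)
```

With the empty entry present the import resolves to the file in the working directory; once it is removed, the lookup falls through to the real search path and finds nothing.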
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (100, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages dia depends on:
pn dia-common <none> (no description available)
pn dia-libs <none> (no description available)
ii libart-2.0-2 2.3.20-2 Library of functions for 2D graphi
ii libatk1.0-0 1.22.0-1 The ATK accessibility toolkit
ii libc6 2.7-15 GNU C Library: Shared libraries
ii libcairo2 1.6.4-6.1 The Cairo 2D vector graphics libra
ii libfontconfig1 2.6.0-1 generic font configuration library
ii libfreetype6 2.3.7-2 FreeType 2 font engine, shared lib
ii libglib2.0-0 2.16.6-1 The GLib library of C routines
ii libgtk2.0-0 2.12.11-4 The GTK+ graphical user interface
ii libpango1.0-0 1.20.5-3 Layout and rendering of internatio
ii libpng12-0 1.2.27-2 PNG library - runtime
ii libpopt0 1.14-4 lib for parsing cmdline parameters
ii libxml2 2.6.32.dfsg-4 GNOME XML library
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
Versions of packages dia recommends:
ii gsfonts-x11 0.21 Make Ghostscript fonts available t
dia suggests no packages.
--- dia-0.96.1.orig/plug-ins/python/python.c
+++ dia-0.96.1/plug-ins/python/python.c
@@ -102,6 +102,8 @@
Py_Initialize();
PySys_SetArgv(1, python_argv);
+ /* Sanitize sys.path */
+ PyRun_SimpleString("import sys; sys.path = filter(None, sys.path)");
if (on_error_report())
return DIA_PLUGIN_INIT_ERROR;
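Review bot: the added `PyRun_SimpleString("import sys; sys.path = filter(None, sys.path)")` removes every falsy entry rather than only the empty string that PySys_SetArgv prepends, and under Python 3 `filter()` returns a lazy iterator instead of a list, which would leave sys.path unusable for imports; `sys.path = [p for p in sys.path if p]` removes the empty entry, keeps the order, and behaves the same under both interpreter versions. The new `/* Sanitize sys.path */` comment would also be more helpful if it stated the reason, namely dropping the working-directory entry introduced by PySys_SetArgv, so a later maintainer does not remove the line as redundant.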
_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team